Sigma rules for CVE-2012-0105
1 rules · scoped to cve · back to CVE-2012-0105
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: test
description: |
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
author: frack113, Duc.Le-GTSC
date: 2021-08-03
modified: 2022-03-03
tags:
- attack.discovery
- attack.stealth
- attack.t1497.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
- Get-WmiObject
- gwmi
selection_module:
ScriptBlockText|contains:
- MSAcpi_ThermalZoneTemperature
- Win32_ComputerSystem
condition: all of selection*
falsepositives:
- Unknown
level: medium